Due to the increasing amount of networking to the outside world, connected cars are becoming increasingly attractive targets for attacks. If an attacker succeeds in gaining access to the internal network of a vehicle, they can cause a great deal of damage. For this reason, T-Systems continuously analyzes attack scenarios and develops detection algorithms. As a software detective in the car, an intrusion detection system (IDS) monitors the on-board network and system.
With an IDS as a software module on the central gateway in the car, communication within the vehicle network can be monitored for anomalies in real time. If the IDS detects a known malfunction, it triggers a defensive response – previously agreed with the vehicle manufacturer – to protect the vehicle (Intrusion Prevention System, IPS). This is to prevent a cyberattack on the internal vehicle network from affecting vehicle functions and endangering the safety of vehicle occupants.
The IDS sends all alarms to the manufacturer's back end, where the data is analyzed using modern machine learning methods and sent back to the vehicle. The IDS back end can be linked flexibly to the manufacturer's systems or provided in an Automotive Security Operation Center. Anomalies are categorized in this automotive SOC and form the basis for the ongoing process strategy, in order to protect both the driver and the vehicle immediately and in the future against the risks of hacker attacks.
Workflows based on the data analysis of the results
According to the principle "Security by Design", companies should think about and plan intrusion detection systems in the early stages of vehicle development. The IDS can be implemented in different ways based on the vehicle's internal network and control unit structure. On every complex control unit, for example, a sensor component can be used to detect anomalies in firmware, CAN bus traffic, and sensor data. These sensors report detected anomalies to the IDS core component, which runs on a central control unit with a gateway function (including firewall). The core component can perform more complex analyses and communicate with the manufacturer's back end via the telematic control units.
In modern connected cars, vehicle servers and virtualization reduce the number of control units required – and with that the complexity, too. Similar to the functions of modern ECUs, the IDS software can also run as a function block on the virtualization layer of the vehicle server. The capabilities of the IDS can also be extended to monitor processes and functions on the vehicle server and detect malicious behavior.
T-Systems offers companies in the automotive industry an intrusion detection system with ESLOCKS (Embedded Security Locks) as a customized service. How it works: An Autosar-compliant on-board software for detecting anomalies dynamically compares the target behavior of communication in the vehicle. If the current network traffic does not match the defined behavior or shows suspicious activity, the next step is for the IDS to classify the traffic as known or unknown anomalies.
A back end connection is an essential part of the process. The back end is supplied with information on unknown anomalies from all of the vehicles in a fleet. As a result of this, large amounts of data are gradually accumulated in the back end, which can be evaluated using machine learning methods based on a big-data cluster. The aim of bulk data evaluations is to determine whether unknown anomalies are normal traffic (target behavior) or an attack (new anomaly).
If an automotive SOC is connected to the back end, forensic experts can take care of evaluating the analysis results from the intrusion detection. The information obtained is processed and transmitted back to the vehicles as a signature update. The on-board software is thus continuously optimized thanks to the continually growing database – and can protect the car against newly identified threats via intrusion prevention.